The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.
BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM WASHINGTON, D. C. 20551 DIVISION OF BANKING SUPERVISION AND REGULATION SR 99-8 (SUP) March 31, 1999 TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK SUBJECT: Uniform Rating System for Information Technology On January 13, 1999, the Federal Financial Institutions Examination Council (FFIEC) adopted a revised Uniform Rating System for Information Technology (URSIT).1 The FFIEC published the revised rating system in the Federal Register on January 20, 1999 (64 FR 3109). The revised URSIT (Attachment 1 - 58 KB PDF) becomes effective April 1, 1999, and is to be used in information technology examinations of all banks and data processing service providers commencing after that date. The banking agencies originally adopted the URSIT on the recommendation of the FFIEC in 1978. Over the years, the URSIT has proven to be an effective internal supervisory tool for evaluating the condition of an institution's or service provider's information technology function. Changes in information technology as well as in the banking agencies' supervisory policies and procedures, prompted a review and revision of the 1978 rating system. In June 1998, a proposed revision to the URSIT was issued for public comment and distributed to examiners for field-testing. The final revised URSIT incorporates the comments received on the proposal and from the field testing. The revisions include: Additional language to conform the URSIT to the Uniform Financial Institution Rating System (UFIRS).2 Clarification of the component ratings and a reformat of the descriptions for the ratings.3 Two new component categories -- "Development and Acquisition" and "Support and Delivery" which replace "Systems and Programming" and "Operations." An emphasis on the quality of risk management processes in each of the rating components. A requirement that examiners explicitly identify the risk types that are considered in assigning component ratings. In order to facilitate implementation of the URSIT, a guide adapted from the Information Systems Audit and Control Foundation COBIT Implementation Tool Set is provided in Attachment 2 (37 KB PDF). The implementation guide identifies technology concerns and their relationship to specific rating factors. This guidance provides a risk analysis baseline for the identification of critical areas in a risk-focused examination methodology. Should your staff have any questions, please have them contact Michael Martinson, Deputy Associate Director, at 202/452-3640, Heidi Richards, Manager of Specialized Activities, at 202/452-2598, or Blaine Jones, Supervisory EDP Analyst, at 202/452-3759. William A. Ryback Associate Director Attachments Supersedes: SR Letter 78-507 Cross-References: SR Letters 96-38 and 96-26 Notes: 1. The revisions to the URSIT were developed by the staffs of the Federal Reserve, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision. Return to text 2. Refer to SR Letter 96-38, “Uniform Financial Institution Rating System (UFIRS)” Return to text 3. Refer to SR Letter 96-26, “Provision of Individual Components of Supervisory Rating Systems to Management and Boards of Directors” Return to text SR letters | 1999 Home | Banking information and regulation Accessibility | Contact Us Last update: August 11, 2005 BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM WASHINGTON, D. C. 20551 DIVISION OF BANKING SUPERVISION AND REGULATION SR 96-26 (SUP) November 15, 1996 TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK SUBJECT: Provision of Individual Components of Supervisory Rating Systems to Management and Boards of Directors It is a longstanding policy of the Federal Reserve to discuss fully and clearly in examination and inspection reports, and in meetings with senior management and boards of directors, supervisory issues, problems, or concerns relating to the institutions under the System's supervision. It has also generally been Federal Reserve practice for some time to provide to senior management and directors the single word descriptions corresponding to the numeric component ratings assigned under the Uniform Financial Institutions Rating System (CAMEL). In an effort to further strengthen communication with supervised institutions, beginning January 1, 1997, the Federal Reserve will provide the numeric and alphabetic component ratings assigned under various supervisory rating systems to senior management and directors. Building upon existing practice, this step is intended to better focus management attention on possible areas of weakness and the need for timely corrective actions. This step is also consistent with a recent recommendation from the FFIEC regarding disclosure of the numeric component ratings assigned under CAMEL. Each Reserve Bank should direct its examiners to begin disclosing component ratings as soon as possible, but no later than January 1, 1997, in summary sections of examination/inspection reports and directors' summaries, as necessary, and in meetings with senior management and directors. This directive applies to the following rating systems: CAMEL (state member banks); BOPEC (bank holding companies); CAMEO (Edge and agreement corporations and overseas subsidiaries of U.S. banks); ROCA (U.S. branches and agencies of foreign banking organizations); the Uniform Interagency Trust Rating System; and the Uniform Interagency Rating System for Data Processing Operations It also applies to the alphabetic component ratings assigned to management under the BOPEC rating system and to the alphabetic components assigned under the Transfer Agent rating system. General guidance on the disclosure of composite and component ratings in examination and inspection reports is attached to this SR letter. In the context of the exit meeting, the examiner should discuss key overall examination findings, including composite and component numeric ratings. Consistent with current practice, ratings are subject to a review by Reserve Bank supervisory officials, and final ratings should be included in the examination or inspection report. In disclosing composite and component ratings, the examiner-in-charge should remind management that the ratings assigned are a part of the findings of the examination or inspection and are privileged and confidential under applicable law. If composite and component ratings are changed between examinations and inspections as a result of off-site analysis, management and directors should be informed of the change. Reserve Banks should inform state banking authorities in their districts of the decision to disclose component ratings and should explain the reasons for this change in Federal Reserve procedures prior to beginning disclosure of component ratings. Component ratings assigned under AEP arrangements by state agencies should be treated by the Reserve Banks in a manner that is consistent with the state's policy regarding disclosure. The guidance included in this SR letter is to be applied going forward, consistent with the approach taken by the other banking agencies. In general, component ratings assigned in the past should be treated in accordance with the policy prevailing at the time. A copy of this letter should be provided to each institution supervised by the Federal Reserve. If there are any questions relating to the disclosure of component ratings, please contact Connie Powell, Supervisory Financial Analyst, at (202-452-3506), or Kevin Bertsch, Supervisory Financial Analyst, at (202-452-5265). Richard Spillenkothen Director ATTACHMENT TRANSMITTED ELECTRONICALLY BELOW Cross SR 88-37, "Disclosure of Numeric Composite Examination and Inspection references: Ratings to Examined/Inspected Institutions" SR 90-21, "Rating System for International Exams" SR 91-21, "EDP Interagency Examination, Scheduling and Distribution Policy" SR 95-22, "Enhanced Framework for Supervising the U.S. Operations of Foreign Banking Organizations" SR 95-51, "Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies" SR 96-10, "Risk-focused Fiduciary Examinations" Guidance on Disclosure of Composite and Component Ratings in Examination and Inspection Reports Page one of the report should list the composite rating for the current examination or inspection and for the two previous examinations or inspections at the top of the page as outlined below for bank examinations. Uniform Financial Institutions Rating System Current Exam Prior Exam Prior Exam Exam Date: 09-03-9X 10-19-9Y 10-22-9Z Composite Rating: 2 2 2 Component Ratings: Capital 2 n/a n/a Asset Quality 2 n/a n/a Management 2 n/a n/a Earnings 2 n/a n/a Liquidity 2 n/a n/a This listing should be followed by the uniform definition of the assigned composite rating. The uniform definitions of the component ratings assigned need not be included in reports; however, they should be made available to management and directors upon request. When combined examination/inspection report formats are used, similar matrices for each composite and component rating assigned should be included in the report. Numeric and alphabetic component ratings should also be included on the pages of reports that discuss findings related to the components. For example, for bank examination reports, the numeric component rating assigned to capital should appear on the capital page of the report. In the case of examinations of independent data processing servicers and financial institutions that provide servicing to other insured financial institutions, examination reports are sometimes provided not only to the examined data processing servicers but also to the institutions that receive servicing from these servicers. Accordingly, in these cases, the composite and component ratings assigned under the Uniform Interagency Rating System for Data Processing Operations should be provided to senior management and directors in the transmittal letter accompanying the examination report rather than in the open section of the examination report.1 Footnotes 1. Additional guidance on the disclosure of composite and component ratings for examinations of information systems will be issued by the FFIEC in the near future. Return to text SR letters | 1996 Home | Banking information and regulation Accessibility | Contact Us Last update: March 29, 2005
@FedFRASER